6 May 1983


MEMORANDUM FOR: Director, Intelligence Community Staff

FROM: Deputy Director of Central Intelligence

SUBJECT: Minimum Computer Security Standards


1. I would like you to develop a Community-coordinated minimum [illegible] Evaluation Center [illegible] criteria for computer security as a starting point.

2. Please advise how much time you think you will need to complete 
this effort. 
John N. McMahon

DCI/ICS 83-4383
6 June 1983 


MEMORANDUM FOR: Deputy Director of Central Intelligence 


FROM: Director, Intelligence Community Staff

SUBJECT: Minimum Computer Security Standards

REFERENCE: Your Memorandum dated 6 May 1983; Same Subject 



1. Minimum standards regarding computer security are probably the most
difficult to determine. We need to balance a good understanding of the
vulnerabilities and the threat coupled with some agreed upon tolerable level
of "risk." We do not have the knowledge or experience to do so at the present
time.


2. Formal computer standards generally require five to seven years to
develop, to coordinate, and to introduce effectively into the infrastructure.
In general, technical criteria are relatively easy to prepare and
even to reach agreement upon. Policy implications (turf), compliance
auditing, and cost (whose budget) are issues that take longer.


3. I suggest a dual approach which will provide rapid improvements and
will permit early applications, along with a longer term effort. The
imposition of standards is expensive and, if they are mandatory, will be even
more costly. This dual approach equates to setting near-term action
priorities with specific follow-through on supporting the associated costs,
and in a more deliberate pace, to develop and coordinate the more broadly
applicable standard or standards through the existing mechanism of the
Computer Security Subcommittee of SECOM under the applicable DCIDs.


4. An approach which appears practical and likely to reduce 
vulnerabilities of "critical" systems on a "fast-track" basis would be 
described as follows: 


a. Identify those few critical systems which must meet a set of 
mandatory standards; for systems not designated as critical, impose the 
standards as voluntary for a transition period. This will allow budgets 
to "catch up" with the costs of imposed standards. 


b. Specify a set of vulnerabilities which by any criteria generate 
the greatest threat and highest risk; develop, promulgate and impose 
mandatory standards that will reduce these high threat and risk areas to 
an acceptable threshold. 
c. Set up Task Groups to generate proposed policies and standards--
mandatory in some cases, voluntary in others; as soon as the scope of
each standard is sufficiently defined, determine schedule and costs of
implementation and means for validating adherence.


5. The vulnerabilities which generate the greatest risk are at the same 
time amenable to "quick-fix" improvements. The proposed areas to be 
considered are: 


a. Access Procedures


By individuals through terminals across networks to 
remotely located data bases. 

By individuals who directly access "computer centers" and 
data bases (either on-line or off-line). 

By regular computer- to-computer transfer of information 
without scheduled manual checks. 

b. Dissemination or Security Control "Labelling" of Information

Upon entry to computer data bases.

When transmitted from or produced by computer systems for
any purpose over any media.

c. Dissemination or Security Control Accountability

Presently, there appears to be no automatic accountability
system to monitor and serve as record keeper for computer-
based information storage and retrieval systems. Such
systems are an absolute necessity if any measure of
electronic information security is to exist.

Guidelines for such automatic accountability and
requirements for developing automated accountability are
the practical first surrogates for standards in this
instance.

6. Existing organizational or committee structures can and should be
used to develop this first highest priority set of Critical Electronic
Information Security Standards and Guidelines. IHC, SECOM, CI, ISS, CSEC and
the DIA DODIIS Office are among the best candidates for handling these tasks,
and there is a natural split of responsibility among the proposed Critical Set
of Standards and Guidelines.
7. If the basic approach outlined above is acceptable to you, then some
first products could be off the drawing board in about 90 days. I would like
to discuss this further with you and to include [redacted].
We will then proceed to get agreement from our newly formed ELINFOSEC
Steering Group (ESG). (U)


Rear Admiral, USN


SECRET 
The Director of Central Intelligence

Washington, D.C. 20505


NFIC-9.11/1 
22 January 1985 

MEMORANDUM FOR: See Distribution 

SUBJECT: Reports on Computer Security for SCI-Handl ing Systems 


1. The DCI's Computer Security (COMPUSEC) Project began in April 1983 and
is intended to support the DCI in assessing the security of automated systems
processing information derived from sensitive methods and sources, to identify
the threats to automated systems processing such materials, and to recommend
actions for the DCI that will allow him to attest to the acceptability of
operating risks.

2. As part of the DCI's COMPUSEC Project, the COMPUSEC Project Team
developed an assessment on the threat to US automated Intelligence Community
systems (See Attachment 1). Representatives from the NFIC Community have
provided input to this document. This formulation of the "threat" is being
used in conjunction with security assessments of the Intelligence Community's
"critical" automated SCI systems to set program and budget priorities for
immediate security upgrades. This threat point paper also serves to fulfill
one of the DCI's continuing distinctive responsibilities.

3. The SAFEGUARDS document (Attachment 2) identifies security
requirements for the protection of SCI information in the "critical" systems
evaluated as part of the DCI's Computer Security (COMPUSEC) Project. When
fully implemented in the "critical" systems, the SAFEGUARDS will correct the
security shortfalls and reduce to an acceptable level the risks currently
associated with processing this sensitive information in the "critical"
systems. I intend to direct that the SAFEGUARDS be imposed as mandatory
standards for the 13 "critical" SCI-handling systems by the end of FY 86.
These SAFEGUARDS will also be imposed as voluntary standards for other
SCI-handling systems.

4. In June 1984, an Interagency Computer Security Technology Panel was
established to assess the application of computer security technologies
against known operational deficiencies within Intelligence Community computer
systems. The panel focused on what could be done, in the near term, with
existing computer security technology and administrative/management actions to
provide security upgrades for our "critical" systems. Specific emphasis was
given to three areas of computer security vulnerability: authentication of
users; accountability of operating actions; and labeling of SCI information.
The findings and recommendations of the Technology Panel are provided to you
for your use and comment (See Attachment 3). When these "action-oriented"
recommendations are arrayed against the identified vulnerabilities of the
"critical" systems and the threat against them, it will lead to a plan for
significant improvement in Community COMPUSEC. I intend to pursue these
recommendations, in coordination with other computer security initiatives, to
strengthen the protection of SCI material in computer-based systems.

WARNING NOTICE: INTELLIGENCE SOURCES OR METHODS INVOLVED
CL BY SIGNER
DECL OADR

Approved For Release 2009/08/06 : CIA-RDP89B01354R000100170003-0


5. These documents are also being provided to the appropriate officials
with responsibilities assigned by NSDD/145.


Attachments:

1) [title not legible]

2) Computer Security Technology Assessment Report

3) Uniform SAFEGUARDS for Protection of "Critical Systems" Processing Intelligence Information


Distribution: 

Copy 1 - DCI (William J. Casey) 

2 - SecDef (Caspar W. Weinberger) 

3 - DDCI (John N. McMahon) 

4 - EXDIR/CIA (Jim Taylor)

5 - ASD(C3I) [name redacted]

6 - D/INR (Hugh Montgomery) 

7 - D/DIA (LtGen James A. Williams, USA)

8 - D/NSA (LtGen Lincoln D. Faurer, USAF) 

9 - D/DNI (Rear Admiral John Butts, USN) 

10 - Assistant Director, Intel. Div., FBI (Edward J. O'Malley) 

11 - DOE/DAS, Intelligence (Charles Boykin) 

12 - Treasury (Douglas Mulholland) 

13 - Air Force, Under Secretary (Edward C. Aldridge, Jr.) 

14 - Army/ACSI (LtGen William E. Odom, USA)

15 - Air Force/ACSI (MajGen James C. Pfautz, USAF) 

16 - USMC/DI (BG Lloyd W. Smith, USMC) 

17 - NSC (Ken deGraffenreid) 

18 - National Security Advisor (Robert McFarlane) 

19 - DUSD/P (Gen. Richard G. Stilwell, USA Ret.) 

20 - Justice Dept (Mary C. Lawton) 

21 - DOC (Irving P. Margulies) 

22 - Chm/IPC/CIA (Richard Kerr) 


1 - [redacted] (w/att 2 only--3 copies)

1 - [redacted] (w/att 2 only--15 copies)

1 - [redacted] (w/att 2 only--2 copies)

1 - OSD (Gene Epperly) (w/att 2 only--3 copies)

1 - SECOM [redacted] (w/att 2 only--5 copies)

1 - [redacted] (w/att 2 only--5 copies)

1 - OS/C/ISSG [redacted]

1 - DIA/RSE [redacted] (w/att

1 - State (Lynn McNulty) w/att